JSF and PrettyFaces - How to limit direct xhtml requests

I am new to JSF and PrettyFaces. So now I found out that I can configure PrettyFaces to "forward" the request to the right .xhtml file. The problem is that I (or the user, if he knows my folder structure) can also request a file. This is my example:

Files: webbapp / mypage.xhtml

I added the following lines to pretty-config.xml:

    <url-mapping id="myPageId">
        <pattern value="/prettyurltomypage" />
        <view-id value="/mypage.xhtml" />
    </url-mapping>

The PrettyFaces filter is set to intercept on "/". The Faces front controller is configured to handle all ".xhtml" requests. When I request ...

 http://localhost:8080/myapp/prettyurltomypage 

... everything is good. My problem is that I can also request ...

 http://localhost:8080/myapp/mypage.xhtml 

How can I limit .xhtml requests? My goal is to make JSF / the server return the default 404 page.

My solution (so far) was to define a rewrite rule in pretty-config.xml:

 <rewrite match="/mypage.xhtml" substitute="/prettyurltomypage" redirect="301" /> 

Is there any other (smarter) way?

+6
3 answers

This can be done by marking the XHTML files as web resources in the deployment descriptor.
To do this, you can add something like this to your web.xml :

    <security-constraint>
        <display-name>Restrict direct access to XHTML files</display-name>
        <web-resource-collection>
            <web-resource-name>XHTML files</web-resource-name>
            <url-pattern>*.xhtml</url-pattern>
        </web-resource-collection>
        <auth-constraint/>
    </security-constraint>

If you want to know more about security constraints, there is a brief article on Javalobby.

+6

Yes, if you just want to block access to direct pages, this is probably the best way to get around using something like a custom security package. Otherwise, if you just want to make sure the pages are displayed correctly, you can simply change the mapping of your Faces servlet to .xhtml, which means that your source will not be displayed when people access pages.

    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>*.faces</url-pattern>
    </servlet-mapping>

If you want to make more complex rewrite rules to actually block pages, you might want to consider using a custom rewrite processor and implementing a processor interface.

http://ocpsoft.com/docs/prettyfaces/3.3.0/en-US/html_single/#inbound_rewriting.options

User processors have access to HttpServletRequest and HttpServletResponse and trigger both inbound and outbound rewrites: you can do more complex things using this interface:

    /**
     * Perform a rewrite operation on a given URL, utilizing any necessary information from the given {@link RewriteRule}
     * configuration object from which the processor was invoked.
     *
     * @author Lincoln Baxter, III <lincoln@ocpsoft.com>
     */
    public interface Processor
    {
        /**
         * Process an inbound URL Rewrite request. This takes place when the request first comes in to the server and passes
         * through {@link RewriteFilter}
         */
        String processInbound(HttpServletRequest request, HttpServletResponse response, RewriteRule rule, String url);

        /**
         * Process an outbound URL Rewrite request. This takes place when a URL is passed in to
         * {@link HttpServletResponse#encodeRedirectURL(String)}, and since most frameworks ensure the call to
         * 'encodeRedirectUrl()' occurs automatically, can be assumed to occur whenever a URL would be rendered to HTML
         * output.
         */
        String processOutbound(HttpServletRequest request, HttpServletResponse response, RewriteRule rule, String url);
    }

Otherwise, what you do will work until OCPSoft Rewrite https://github.com/ocpsoft/rewrite (who is also behind PrettyFaces) is released, in which case you could do it pretty easily with a simple inbound rewrite rule:

    package com.example;

    public class ExampleConfigurationProvider extends HttpConfigurationProvider
    {
        @Override
        public int priority()
        {
            return 10;
        }

        @Override
        public Configuration getConfiguration(final ServletContext context)
        {
            return ConfigurationBuilder.begin()
                .defineRule()
                .when(Direction.isInbound()
                    .and(DispatchType.isRequest())
                    .and(Path.matches(".*\\.xhtml"))
                    .andNot(Path.matches(".*javax.faces.resource.*")))
                .perform(SendStatus.code(404));
        }
    }

This rewrite rule will block incoming HTTP requests for .xhtml files, while still allowing forwards, as well as error or asynchronous requests. It will also leave the JSF2 Resource API in a functional state, which is not the case if you use the Java EE security constraint, as suggested in another answer.

Hope this helps, Lincoln

+3
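The same policy as the rewrite rule in the answer above (404 for direct .xhtml requests, forwards and JSF 2 resources left alone), written as a plain servlet filter. This is an added example, not code from either answer or from PrettyFaces/Rewrite. The class and package names are hypothetical, and it assumes a Servlet 3.0+ container, the `javax.*` namespace and a FacesServlet mapped to `*.xhtml` as in the question.

```java
package com.example; // hypothetical package name

import java.io.IOException;
import javax.faces.application.ResourceHandler;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter. It is mapped to the REQUEST dispatch only, so the
// FORWARD that PrettyFaces issues from /prettyurltomypage to /mypage.xhtml
// never passes through it; only URLs typed by the client do.
@WebFilter(urlPatterns = "*.xhtml", dispatcherTypes = DispatcherType.REQUEST)
public class DirectXhtmlBlockFilter implements Filter {

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Use the container-normalized servlet path, not the raw request URI,
        // so "../" or encoded segments cannot fake the resource prefix below.
        String path = request.getServletPath();

        // JSF 2 serves CSS, scripts and images under /javax.faces.resource/;
        // with a *.xhtml FacesServlet mapping those URLs end in .xhtml too.
        if (path.startsWith(ResourceHandler.RESOURCE_IDENTIFIER + "/")) {
            chain.doFilter(req, res);
            return;
        }
        // Any other *.xhtml URL was requested directly: container default 404.
        ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

Unlike the 301 rewrite in the question, this does not reveal which pretty URL a view file maps to, and it needs no per-page rule.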

See the following problem: http://code.google.com/p/prettyfaces/issues/detail?id=116

Hope this helps you

0

Source: https://habr.com/ru/post/894174/

